OpenAI flags macOS supply‑chain issue
OpenAI warned macOS users about a security issue tied to a third‑party developer tool and said it was taking steps to protect the process that certifies macOS apps as legitimate, adding that user data was not accessed. The company urged users to update ChatGPT desktop apps after the supply‑chain compromise was linked to a widely used JavaScript library. (reuters.com)
OpenAI told macOS users to update ChatGPT and other desktop apps after a software supply-chain attack touched the company’s app-signing process. (openai.com)
On March 31, 2026, a compromised version of the JavaScript library Axios, version 1.14.1, was downloaded and run inside a GitHub Actions workflow OpenAI used to sign macOS apps. That workflow had access to the certificate and notarization material for ChatGPT Desktop, Codex, Codex Command Line Interface, and Atlas. (openai.com)
App signing is the digital stamp that tells a Mac an app really came from the named developer. OpenAI said it found no evidence that user data, systems, intellectual property, or published software were compromised, but it is revoking and rotating the certificate anyway. (openai.com)
The immediate risk was not a breach of chats or accounts. OpenAI said the update is meant to block the possibility that someone could try to distribute a fake macOS app that appears to be an official OpenAI release. (openai.com)
The company said the affected workflow’s certificate was “likely not successfully exfiltrated” because of the timing of the malicious payload and the order in which the job ran. CNBC reported OpenAI also said the root cause was a GitHub Actions misconfiguration that has now been fixed. (openai.com) (cnbc.com)
OpenAI said Apple is being asked to ensure software signed with the old certificate cannot be newly notarized, and the company reviewed prior notarizations to check for unexpected software signed with those keys. Reuters and CNBC both reported the broader Axios compromise was part of an industry-wide campaign linked by researchers to North Korean actors. (openai.com) (cnbc.com) (reuters.com)
The cutoff date is May 8, 2026. OpenAI said older macOS versions of ChatGPT Desktop, Codex App, Codex Command Line Interface, and Atlas will stop receiving updates and support after that date and may stop functioning. (openai.com)
The first macOS releases signed with the new certificate are ChatGPT Desktop 1.2026.051, Codex App 26.406.40811, Codex Command Line Interface 0.119.0, and Atlas 1.2026.84.2. OpenAI said users should update through the app itself or through the company’s official download pages. (openai.com)
OpenAI said passwords and OpenAI application programming interface keys were not affected. For Mac users, this is now a software update story: install the new build before May 8 or risk running an unsupported app. (cnbc.com)
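
For teams checking their own builds against the Axios version named above, the following added example (not code from OpenAI or from the cited reports) scans a parsed npm lockfile for axios 1.14.1, including transitive copies nested under other packages. The sample lockfiles and the names `findCompromised`, `COMPROMISED`, `demo-app` and `some-sdk` are constructed for illustration.

```javascript
// Version named in the article as compromised; extend this set from your own advisories.
const COMPROMISED = { axios: new Set(["1.14.1"]) };

// Walk a parsed npm lockfile and return every install of a flagged package version,
// including transitive copies that never appear in package.json.
function findCompromised(lock, flagged = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (flagged[name] && flagged[name].has(version)) hits.push({ name, version, where });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf("node_modules/");
    // meta.name is set for aliased installs and holds the real package name.
    const name = meta.name || (i === -1 ? path : path.slice(i + "node_modules/".length));
    check(name, meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(" > "));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: direct dependency is clean, a nested copy is the flagged version.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/axios": { version: "1.0.0" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  },
};
// Constructed sample in the older nested format.
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "1.14.1" } } },
  },
};

console.log(findCompromised(SAMPLE_V3), findCompromised(SAMPLE_V1));
```

To use it on a real project, pass the result of `JSON.parse` on the project's `package-lock.json`. Only 1.14.1 is listed because it is the only version the article names.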